CompTIA Security Plus Mock Test Q685

Joe a company’s new security specialist is assigned a role to conduct monthly vulnerability scans across the network. He notices that the scanner is returning a large amount of false positives or failed audits. Which of the following should Joe recommend to remediate these issues?

A. Ensure the vulnerability scanner is located in a segmented VLAN that has access to the company’s servers
B. Ensure the vulnerability scanner is configured to authenticate with a privileged account
C. Ensure the vulnerability scanner is attempting to exploit the weaknesses it discovers
D. Ensure the vulnerability scanner is conducting antivirus scanning


Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
The vulnerability scanner is returning false positives because it is trying to scan servers that it doesn’t have access to; for example, servers on the Internet.
We need to ensure that the local network servers only are scanned. We can do this by locating the vulnerability scanner in a segmented VLAN that has access to the company’s
servers.
A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected.
In spam filters, for example, a false positive is a legitimate message mistakenly marked as UBE – unsolicited bulk email, as junk email is more formally known. Messages that are
determined to be spam – whether correctly or incorrectly – may be rejected by a server or client-side spam filter and returned to the sender as bounce e-mail.
One problem with many spam filtering tools is that if they are configured stringently enough to be effective, there is a fairly high chance of getting false positives. The risk of accidentally
blocking an important message has been enough to deter many companies from implementing any anti-spam measures at all.
False positives are also common in security systems. A host intrusion prevention system (HIPS), for example, looks for anomalies, such as deviations in bandwidth, protocols and
ports. When activity varies outside of an acceptable range – for example, a remote application attempting to open a normally closed port — an intrusion may be in progress. However,
an anomaly, such as a sudden spike in bandwidth use, does not guarantee an actual attack, so this approach amounts to an educated guess and the chance for false positives can be
high.
False positives contrast with false negatives, which are results indicating mistakenly that some condition tested for is absent.

Incorrect Answers:
B: The vulnerability scanner should not be configured to authenticate with a privileged account. This is not required for a successful scan and is not the cause of the false positives and
failed audits.
C: The vulnerability scanner should not be attempting to exploit the weaknesses it discovers. It should just log the weaknesses. Attempting to exploit weaknesses is performed in a
penetration test. This is not the job of a vulnerability scanner.
D: The vulnerability scanner should not be conducting antivirus scanning. This is not the job of a vulnerability scanner and is not the cause of the false positives and failed audits.

References:
http://whatis.techtarget.com/definition/false-positive